Security recommendations

April 17, 2019

Contributed by:
BC

Session Recording is designed to be deployed within a secure network and accessed by administrators, and as such, is secure. Out-of-the-box deployment is designed to be simple and security features such as digital signing and encryption can be configured optionally.

Editing the registry incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

Ensure that you properly isolate the different administrator roles in the corporate network, in the Session Recording system, and on individual machines. Otherwise, security threats that can impact system functionality or abuse the system might occur. Citrix recommends that you assign different administrator roles to different persons or accounts, and that you do not allow general session users to have administrator privileges on the VDA system.

XenApp and XenDesktop administrators should not grant VDA local admin role to any users of published apps or desktops. If the local admin role is a requirement, protect the Session Recording Agent components with Windows mechanisms or third-party solutions.

Citrix recommends that you do not assign VDA administrator privileges to general session users, especially when using Remote PC Access.

The Session Recording Server local administration account must be strictly protected.

Control access to machines installed with Session Recording Player. If a user is not authorized as the Player role, do not grant that user local administrator role for any player machine. Disable anonymous access.

Citrix recommends using a physical machine as a storage server for Session Recording.

Session Recording records session graphics activities without regard to the sensitivity of the data. Under certain circumstances, sensitive data (including but not limited to user credentials, privacy information, and third-party screens) might be recorded unintentionally. Take the following measures to prevent risks:

Session owners should notify attendees that online meetings and remote assistance software might get recorded if a desktop session is being recorded.

Ensure that logon credentials or other security information do not appear in any local or Web applications published or used inside the corporation; otherwise they are recorded by Session Recording.

Users should close any application that might expose sensitive information before switching to a remote ICA session.

We recommend only automatic authentication methods (for example, single sign on, smartcard) for accessing published desktops or Software as a Service (SaaS) applications.

Session Recording relies on certain hardware and software infrastructure (for example, corporate network devices and the operating system) to function properly and to meet security needs. Take measures at the infrastructure level to prevent damage to or abuse of that infrastructure and to keep the Session Recording function secure and reliable.

Set the access control list (ACL) for Message Queuing (MSMQ) on the Session Recording Server to restrict VDA or VDI machines that can send MSMQ data to the Session Recording Server and prevent unauthorized machines from sending data to the Session Recording Server.

Install the Directory Service Integration server feature on each Session Recording Server and on each VDA or VDI machine where Session Recording is enabled, and then restart the Message Queuing service.

From the Windows Start menu on each Session Recording Server, open Administrative Tools > Computer Management.

Open Services and Applications > Message Queuing > Private Queues.

Click on the private queue citrixsmauddata to open the Properties page and select the Security tab.

Add the computers or security groups of the VDAs that will send MSMQ data to this server and grant them the Send Message permission.
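The same MSMQ hardening as a script, as an added example that is not Citrix's own code: it installs the Directory Service Integration feature (the MSMQ-Directory Windows feature), restarts Message Queuing, and grants only the Send Message right (WriteMessage in the MSMQ module) on the citrixsmauddata private queue to a security group of VDA computer accounts. The group name CONTOSO\SR-VDA-Computers is an assumed placeholder; the MSMQ and ServerManager PowerShell modules are assumed to be available on the Session Recording Server.

```powershell
# Added example, not from the Citrix page. Run elevated on the Session Recording Server.
# Assumption: 'CONTOSO\SR-VDA-Computers' is a domain security group that contains
# the computer accounts of the VDAs allowed to send recording data.
$VdaGroup  = 'CONTOSO\SR-VDA-Computers'
$QueueName = 'citrixsmauddata'            # private queue name from the Citrix steps

# Step 1: Directory Service Integration lets MSMQ resolve domain computer and
# group SIDs in queue ACLs. Install it (also on each VDA) and restart MSMQ.
if (-not (Get-WindowsFeature -Name MSMQ-Directory).Installed) {
    Install-WindowsFeature -Name MSMQ-Directory | Out-Null
}
Restart-Service -Name MSMQ -Force

# Step 2: locate the private queue (same object as Computer Management >
# Message Queuing > Private Queues > citrixsmauddata).
$queue = Get-MsmqQueue -Name $QueueName -QueueType Private
if (-not $queue) { throw "Private queue '$QueueName' not found; is Session Recording Server installed?" }

# Step 3: allow the VDA group to send messages only (no receive/peek/delete,
# no permission changes), which is the 'Send Message' box in the GUI.
Set-MsmqQueueACL -InputObject $queue -UserName $VdaGroup -Allow WriteMessage

# Step 4: remove the Send right from broad principals so that only the
# explicitly listed machines can deliver data to this queue.
foreach ($broad in 'Everyone', 'ANONYMOUS LOGON') {
    Set-MsmqQueueACL -InputObject $queue -UserName $broad -Remove WriteMessage -ErrorAction SilentlyContinue
}

# Step 5: print the resulting ACL so the change can be reviewed and recorded
# as evidence; no principal other than administrators and the VDA group
# should keep WriteMessage.
Get-MsmqQueueACL -InputObject $queue | Format-Table -AutoSize
```

Repeat the feature installation and service restart on every VDA that has Session Recording enabled; the ACL change is made on the Session Recording Server only. Because the ACL names computer accounts, a VDA that is rebuilt with a new machine account must be re-added to the group before it can deliver recordings again, which is a useful signal rather than a silent failure.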

Properly protect the event log for the Session Recording Server and the Session Recording Agents. We recommend leveraging a Windows or third-party remote logging solution to protect the event log or to redirect the event log to a remote server.

Ensure that servers running the Session Recording components are physically secure. If possible, lock these computers in a secure room to which only authorized personnel can gain direct access.

Isolate servers running the Session Recording components on a separate subnet or domain.

Protect the recorded session data from users accessing other servers by installing a firewall between the Session Recording Server and other servers.

Keep the Session Recording Admin Server and SQL database up to date with the latest security updates from Microsoft.

Restrict non-administrators from logging on to the administration machine.

Strictly limit who is authorized to make recording policy changes and view recorded sessions.

Install digital certificates, use the Session Recording file signing feature, and set up TLS communications in IIS.

Set up MSMQ to use HTTPS as its transport by setting the MSMQ protocol listed in Session Recording Agent Properties to HTTPS. For more information, see Troubleshoot MSMQ.

Set the SSL Cipher Suite Order policy to Enabled. By default, this policy is set to Not Configured.

Remove any RC4 cipher suites.

Use playback protection. Playback protection is a Session Recording feature that encrypts recorded files before they are downloaded to the Session Recording Player. This option is enabled by default and is found in Session Recording Server Properties.

Restart the computer.

2. Log on to the computer hosting the Session Recording Policy Console to apply the latest hotfix rollup of .NET Framework and set strong cryptography for .NET Framework (version 4 or later). The method for setting strong cryptography is the same as in substeps 1-d and 1-e. You can omit these steps if you choose to install the Session Recording Policy Console on the same computer as the Session Recording Server.

To configure the TLS 1.2 support for SQL Server with versions earlier than 2016, see https://support.microsoft.com/en-us/kb/3135244. To leverage TLS 1.2, configure HTTPS as the communication protocol for the Session Recording components.
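The TLS hardening steps above (cipher suite order policy, RC4 removal, strong cryptography for .NET Framework 4 or later) as one audit-and-fix script. This is an added example, not Citrix's own procedure and not the missing substeps 1-d and 1-e: it reads the Windows policy key that the SSL Cipher Suite Order GPO writes to, disables RC4 suites with the built-in TLS cmdlets (assumed available, i.e. Windows Server 2016 or later), and sets the SchUseStrongCrypto value that Microsoft documents for enabling strong cryptography in .NET Framework 4.x.

```powershell
# Added example, not from the Citrix page. Run elevated on each Session Recording
# Server and on the Policy Console host; a reboot is still required afterwards.

# 1. SSL Cipher Suite Order policy. When the GPO is Enabled, Windows stores the
#    ordered list in the 'Functions' value of this policy key; Not Configured
#    leaves the key absent.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$policy = Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue
if (-not $policy) {
    Write-Warning 'SSL Cipher Suite Order policy is Not Configured; set it to Enabled via Group Policy (Computer Configuration > Administrative Templates > Network > SSL Configuration Settings).'
} else {
    $rc4InPolicy = ($policy.Functions -split ',') | Where-Object { $_ -match 'RC4' }
    if ($rc4InPolicy) {
        # The policy list overrides the local list, so RC4 must be removed here too.
        Write-Warning "Cipher suite order policy still lists RC4 suites: $($rc4InPolicy -join ', ')"
    }
}

# 2. Remove every RC4 suite from the local Schannel cipher suite list.
$rc4Suites = Get-TlsCipherSuite | Where-Object { $_.Name -match 'RC4' }
foreach ($suite in $rc4Suites) {
    Disable-TlsCipherSuite -Name $suite.Name
    Write-Output "Disabled $($suite.Name)"
}

# 3. Strong cryptography for .NET Framework 4.x (64-bit and 32-bit hives), so
#    managed Session Recording components negotiate TLS 1.2 rather than
#    SSL 3.0/TLS 1.0 defaults.
$NetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
foreach ($key in $NetKeys) {
    if (Test-Path $key) {
        New-ItemProperty -Path $key -Name SchUseStrongCrypto -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Output "SchUseStrongCrypto=1 set under $key"
    }
}

# 4. Verification: nothing containing RC4 should remain in the enabled list.
$remaining = Get-TlsCipherSuite | Where-Object { $_.Name -match 'RC4' }
if ($remaining) {
    Write-Warning "RC4 suites still enabled (check the policy list): $($remaining.Name -join ', ')"
} else {
    Write-Output 'No RC4 cipher suites are enabled on this host.'
}
```

Disable-TlsCipherSuite edits only the local suite list; once the SSL Cipher Suite Order policy is Enabled, its list wins, so the RC4 entries must also be absent from the policy's Functions value, which the script reports but does not rewrite (that list is managed through Group Policy). Restart the computer after running it, as the Citrix steps require, so that Schannel and .NET pick up the new settings.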

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

THIS SERVICE MAY CONTAIN TRANSLATIONS POWERED BY GOOGLE. GOOGLE DISCLAIMS ALL WARRANTIES RELATED TO THE TRANSLATIONS, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF ACCURACY, RELIABILITY, AND ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.